Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Return non-retryable errors on transit encrypt and decrypt failures #13111

Merged
merged 9 commits into from Nov 15, 2021
Merged

Return non-retryable errors on transit encrypt and decrypt failures #13111

merged 9 commits into from Nov 15, 2021

Conversation

schultz-is
Copy link
Contributor

This also address an issue found with transit encrypt and decrypt paths where a single batch item failure would abort the whole batch and simply return a top-level error.

@vercel vercel bot temporarily deployed to Preview – vault November 10, 2021 22:18 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook November 10, 2021 22:18 Inactive
@schultz-is schultz-is marked this pull request as ready for review November 10, 2021 22:18
@vercel vercel bot temporarily deployed to Preview – vault November 10, 2021 22:21 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook November 10, 2021 22:21 Inactive
@vercel vercel bot temporarily deployed to Preview – vault November 11, 2021 19:27 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook November 11, 2021 19:27 Inactive
victorr
victorr approved these changes Nov 12, 2021
View reviewed changes
Copy link
Contributor

@victorr victorr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added a suggestion but it looks good to me 👍

builtin/logical/transit/path_decrypt_test.go Outdated
map[string]interface{}{"plaintext": "dGhlIHF1aWNrIGJyb3duIGZveA==", "context": "dGVzdGNvbnRleHQ="},
map[string]interface{}{"plaintext": "dGhlIHF1aWNrIGJyb3duIGZveA==", "context": "dGVzdGNvbnRleHQ="},
// Encrypt some values for use in test cases.
plaintextItems := []BatchRequestItem{
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not that it matters a whole lot, but instead of using BatchRequestItem couldn't you simply use an anonymous struct here, as the only fields that really matter for the test are the plaintext an the context?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, so the reason I did this is mainly for convenience. In order for the encrypt request to work, the batch_input field has to be specifically a []interface{}, which precludes map indexing without type assertions to a map[string]interface{}. I just made this as kind of a source of truth lookup table for easy test definitions. It lets me define test input and output without duplicating the strings inline in each test.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree that using a struct is a good idea. I was suggesting using an anonymous struct rather than BatchRequestItem since the latter has many more fields that are not really relevant to the tests.

Something like:

plaintextItems := []struct{
    plaintext, context string
}{
...

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Gotcha, I see what you mean now. I can certainly use an inline struct here to make the the data more directly relevant to tests. Thanks for explaining that!

builtin/logical/transit/path_decrypt_test.go Show resolved Hide resolved
@vercel vercel bot temporarily deployed to Preview – vault-storybook November 12, 2021 16:46 Inactive
@vercel vercel bot temporarily deployed to Preview – vault November 12, 2021 16:46 Inactive
@schultz-is
Copy link
Contributor Author

After a discussion about partial batch error handling, there are some more changes coming with this PR before it is fully ready. Namely, we've decided to return HTTP errors on partial failures with non-retryable HTTP 400's taking precedence over retryable HTTP 500's. Some of the tests will be slightly reworked to accommodate this behavior.

@vercel vercel bot temporarily deployed to Preview – vault-storybook November 12, 2021 20:00 Inactive
@vercel vercel bot temporarily deployed to Preview – vault November 12, 2021 20:00 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook November 12, 2021 20:00 Inactive
@vercel vercel bot temporarily deployed to Preview – vault November 12, 2021 20:00 Inactive
@schultz-is
Copy link
Contributor Author

Alright, this should be ready for review again. Thanks y'all!

victorr
victorr requested changes Nov 15, 2021
View reviewed changes
Copy link
Contributor

@victorr victorr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The changes are good but I'm finishing the review with "request changes" as I think the non-batch encrypt/decrypt operations need the check for the right response code.

builtin/logical/transit/path_decrypt.go Show resolved Hide resolved
builtin/logical/transit/path_decrypt_test.go Outdated
map[string]interface{}{"plaintext": "dGhlIHF1aWNrIGJyb3duIGZveA==", "context": "dGVzdGNvbnRleHQ="},
map[string]interface{}{"plaintext": "dGhlIHF1aWNrIGJyb3duIGZveA==", "context": "dGVzdGNvbnRleHQ="},
// Encrypt some values for use in test cases.
plaintextItems := []BatchRequestItem{
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree that using a struct is a good idea. I was suggesting using an anonymous struct rather than BatchRequestItem since the latter has many more fields that are not really relevant to the tests.

Something like:

plaintextItems := []struct{
    plaintext, context string
}{
...

builtin/logical/transit/path_decrypt_test.go Show resolved Hide resolved
@vercel vercel bot temporarily deployed to Preview – vault-storybook November 15, 2021 18:52 Inactive
@vercel vercel bot temporarily deployed to Preview – vault November 15, 2021 18:52 Inactive
Matt Schultz added 5 commits November 15, 2021 12:52
Simplify transit batch error message generation when ciphertext is em…
d361182 
…pty.
Return error HTTP status codes in transit on partial batch decrypt fa…
6a3c894 
…ilure.
Return error HTTP status codes in transit on partial batch encrypt fa…
adc1981 
…ilure.
Properly account for non-batch transit decryption failure return. Sim…
cb1c410 
…plify transit batch decryption test data. Ensure HTTP status codes are expected values on batch transit batch decryption partial failure.
Properly account for non-batch transit encryption failure return. Act…
56ca935 
…ually return error HTTP status code on transit batch encryption failure (partial or full).
@vercel vercel bot temporarily deployed to Preview – vault November 15, 2021 18:52 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook November 15, 2021 18:52 Inactive
victorr
victorr approved these changes Nov 15, 2021
View reviewed changes
Copy link
Contributor

@victorr victorr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me!

@schultz-is
Copy link
Contributor Author

Thanks y'all!

@schultz-is schultz-is merged commit 7c651e7 into main Nov 15, 2021
@schultz-is schultz-is deleted the schultz/vault-4153 branch November 15, 2021 21:53
@victorr
Copy link
Contributor

victorr commented Nov 16, 2021

Closes #10842

@victorr victorr mentioned this pull request Nov 17, 2021
Closed
qk4l pushed a commit to qk4l/vault that referenced this pull request Feb 4, 2022
@schultz-is
Return non-retryable errors on transit encrypt and decrypt failures (h…
6eeab77 
…ashicorp#13111)

* Return HTTP 400s on transit decrypt requests where decryption fails. (hashicorp#10842)

* Don't abort transit batch encryption when a single batch item fails.

* Add unit tests for updated transit batch decryption behavior.

* Add changelog entry for transit encrypt/decrypt batch abort fix.

* Simplify transit batch error message generation when ciphertext is empty.

* Return error HTTP status codes in transit on partial batch decrypt failure.

* Return error HTTP status codes in transit on partial batch encrypt failure.

* Properly account for non-batch transit decryption failure return. Simplify transit batch decryption test data. Ensure HTTP status codes are expected values on batch transit batch decryption partial failure.

* Properly account for non-batch transit encryption failure return. Actually return error HTTP status code on transit batch encryption failure (partial or full).
@ethan-lowman-dd ethan-lowman-dd mentioned this pull request May 22, 2023
Open
@cipherboy cipherboy mentioned this pull request Jun 21, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@victorr victorr victorr approved these changes

@stevendpclark stevendpclark stevendpclark approved these changes

@sgmiller sgmiller Awaiting requested review from sgmiller

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@schultz-is @victorr @stevendpclark